{"id":49178,"date":"2025-04-25T16:39:08","date_gmt":"2025-04-25T16:39:08","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=49178"},"modified":"2025-07-12T05:54:53","modified_gmt":"2025-07-12T05:54:53","slug":"limitation-with-openshift-with-docker-images-compare-to-vanilla-kubernetes","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/limitation-with-openshift-with-docker-images-compare-to-vanilla-kubernetes\/","title":{"rendered":"Limitations of OpenShift with Docker Images Compared to Vanilla Kubernetes"},"content":{"rendered":"\n<p>Let me explain <strong>very clearly<\/strong>, so you fully understand <strong>why some images work and some don&#8217;t<\/strong> in OpenShift \ud83d\ude80:<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83c\udfaf Big Picture: OpenShift Is <em>Different<\/em> from Vanilla Kubernetes<\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Topic<\/th><th>Kubernetes<\/th><th>OpenShift<\/th><\/tr><\/thead><tbody><tr><td>Can run root containers?<\/td><td>\u2705 Allowed by default<\/td><td>\u274c Not allowed by default (Security!)<\/td><\/tr><tr><td>Need special non-root images?<\/td><td>\u274c No<\/td><td>\u2705 Yes, or modify yourself<\/td><\/tr><tr><td>Handles normal Docker images easily?<\/td><td>\u2705 Yes<\/td><td>\ud83d\udfe1 Sometimes extra care needed<\/td><\/tr><tr><td>Focus<\/td><td>Flexible<\/td><td>Secure by Design<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>\u2705 OpenShift enforces <strong>Security Context Constraints (SCC)<\/strong><br>\u2705 OpenShift forces containers to run <strong>non-root<\/strong> by default.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udee0 Why Did nginx-unprivileged Work but Others Fail?<\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table 
class=\"has-fixed-layout\"><thead><tr><th>Image<\/th><th>Why It Worked \/ Failed<\/th><\/tr><\/thead><tbody><tr><td><code>nginxinc\/nginx-unprivileged<\/code><\/td><td>\u2705 Built specifically to run as <strong>non-root<\/strong>, listens on <strong>8080<\/strong><\/td><\/tr><tr><td><code>registry.redhat.io\/rhscl\/nginx-116-rhel7<\/code><\/td><td>\ud83d\uded1 It&#8217;s an <strong>S2I base image<\/strong>, <strong>not runnable<\/strong> directly<\/td><\/tr><tr><td><code>nginx:latest<\/code> (official)<\/td><td>\ud83d\uded1 Tries to bind port 80, needs root<\/td><\/tr><tr><td><code>bitnami\/nginx<\/code><\/td><td>\u2705 Works if you map to 8080<\/td><\/tr><tr><td>Any random DockerHub NGINX<\/td><td>\ud83d\uded1 Fails unless it listens on a port &gt;1024 and runs non-root<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udccb The 3 Problems You Face with Most Docker Images in OpenShift<\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Issue<\/th><th>Why It Happens<\/th><th>How to Solve<\/th><\/tr><\/thead><tbody><tr><td>Image expects to run as root<\/td><td>OpenShift blocks root by default<\/td><td>Use non-root images (<code>unprivileged<\/code>) or modify the Dockerfile<\/td><\/tr><tr><td>Image tries to bind port 80<\/td><td>Only root can bind ports &lt;1024<\/td><td>Configure the container to listen on 8080 or higher<\/td><\/tr><tr><td>Image is an S2I base (not a normal app)<\/td><td>Meant for building apps, not for running directly<\/td><td>Use <code>oc new-app<\/code> + <code>--strategy=source<\/code> or use a proper image<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83e\udde0 In simple words:<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Normal Kubernetes<\/strong>: You can pull almost any DockerHub image and it 
runs.<\/li>\n\n\n\n<li><strong>OpenShift<\/strong>: You must <strong>care about non-root and correct ports<\/strong>, or your app won&#8217;t run.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\ude80 How to Choose Images for OpenShift:<\/h1>\n\n\n\n<p>\u2705 Prefer <strong>images labeled as &#8220;OpenShift Ready&#8221;<\/strong>, &#8220;non-root&#8221;, or &#8220;unprivileged&#8221;.<br>\u2705 If using random DockerHub images:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Make sure they don&#8217;t require the root user.<\/li>\n\n\n\n<li>Make sure they listen on a port >1024 (like 8080, 8443).<\/li>\n<\/ul>\n\n\n\n<p>\u2705 For NGINX specifically:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use <code>nginxinc\/nginx-unprivileged<\/code><\/strong> (best for OpenShift).<\/li>\n\n\n\n<li>Or <strong>customize your own nginx Dockerfile<\/strong> to listen on port 8080 and remove the <code>user nginx;<\/code> line.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udd25 Quick Visual:<\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Image Type<\/th><th>Works Directly in OpenShift?<\/th><th>Extra Work Needed?<\/th><\/tr><\/thead><tbody><tr><td>nginxinc\/nginx-unprivileged<\/td><td>\u2705 Yes<\/td><td>No<\/td><\/tr><tr><td>bitnami\/nginx<\/td><td>\u2705 Mostly<\/td><td>Adjust port sometimes<\/td><\/tr><tr><td>nginx:latest<\/td><td>\u274c No<\/td><td>Must modify (port, user)<\/td><\/tr><tr><td>registry.redhat.io\/rhscl\/nginx-116-rhel7<\/td><td>\ud83d\uded1 Not direct<\/td><td>Use S2I build process<\/td><\/tr><tr><td>Your own custom Docker image<\/td><td>\ud83d\uded1 If root<\/td><td>Modify to non-root<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udce2 Final Cheat 
Sheet for You<\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>What to Check<\/th><th>Why Important<\/th><\/tr><\/thead><tbody><tr><td>Running user (root or non-root)<\/td><td>OpenShift only allows a random high UID (non-root)<\/td><\/tr><tr><td>Listening Port<\/td><td>Must be &gt;1024 (8080, 8443, etc.)<\/td><\/tr><tr><td>Image type<\/td><td>Is it a runnable app image or just an S2I builder base?<\/td><\/tr><tr><td>OpenShift SCCs (Security Context Constraints)<\/td><td>Force strict security on containers<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\u2728 In one line:<\/h1>\n\n\n\n<p><strong>In OpenShift, containers must be non-root, non-privileged, and ports &gt;1024 \u2014 otherwise they fail!<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Let me explain very clearly, so you fully understand why some images work, some don&#8217;t in OpenShift \ud83d\ude80: \ud83c\udfaf Big Picture: OpenShift Is Different from Vanilla Kubernetes Topic Kubernetes OpenShift&#8230; 
<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[5153],"tags":[],"class_list":["post-49178","post","type-post","status-publish","format-standard","hentry","category-openshift"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49178","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=49178"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49178\/revisions"}],"predecessor-version":[{"id":49179,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49178\/revisions\/49179"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=49178"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=49178"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=49178"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}